Hacking, AppSec, and Bug Bounty newsletter
2019-07-23 | How to use Burp Repeater with Websockets, AssetNote’s Zoom RCE writeup, and What’s your DEF CON threat model?
Tuesday, July 23, 2019
Joseph Cox reports: emails show that CBP didn't know what was in the Perceptics breach until weeks after the media initially reported it. Quick tl;dr in this Twitter thread.
Local files could be overwritten in GitLab, leading to remote command execution [182 upvotes] - $12,000 bounty for this report to GitLab by @nyangawa
Private information exposed through GraphQL filters [16 upvotes] - no bounty for this report to HackerOne by @reigertje
OTHER ARTICLES WE’RE READING
Fun thread: What's your DEF CON threat model? Winner goes to @malwaretech: “Storing the contents of all my personal devices on a public blockchain to prevent tampering.”
How to use Burp Repeater with WebSockets, summarized in two images shared by @BurpSuite
How would you like to do a code review for the Apollo 11 mission? Knock yourself out, it’s on GitHub
Two US lawmakers, Sen. Ron Wyden (D-Ore.) and Rep. Eric Swalwell (D-Calif.), will speak at this year’s DEF CON Voting Village, per Politico.
Team Assetnote on their Zoom RCE, discovered at the h1-65 live hacking event in Singapore.
ABOUT ZERO DAILY
Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.
Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?
Have a news tip / story to highlight? We’d love to hear about it. Email: firstname.lastname@example.org
We’ve essentially just created a universal remote for every one of these insulin pumps in the world.